SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, October 18th, 2022


SANS ISC Handlers


🗓️ 18 October 2022

⏱️ 6 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Fileless Dropper; Apache Commons Text Vuln; MSFT Driver Blocklist NOOP;

Transcript

0:00.0

Hello and welcome to the Tuesday, October 18th, 2022 edition of the SANS Internet Storm Center's Stormcast.

0:09.5

My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:16.2

So Xavier today wrote up a fileless PowerShell dropper, and now fileless, well, that doesn't mean zero files,

0:22.5

but it minimizes interaction with the file system by actually using registry keys, which

0:29.6

of course is fairly common.

0:31.9

The keys in this case look random, but are always the same for this malware, so it makes really nice, specific indicators

0:39.5

of compromise if you want to look for it. While the dropper is creating and reading the

0:46.2

registry keys, it has pretty low VirusTotal scores. However, it will then install a DLL, and that one does have a decent recognition

0:58.5

among the anti-malware tools in VirusTotal. But again, that's a little bit of the point here.

1:04.5

The dropper itself is of course the part that's sort of then more consistent and persistent

1:10.7

on the system.

1:11.9

If a particular malware that's being installed by the dropper does have high recognition,

1:19.0

then an attacker could easily swap it out for something else.

1:25.6

And yet again, we have a remote code execution vulnerability in a frequently used Java library.

1:32.9

This time it is Apache Commons Text, and versions 1.5 through 1.9 are vulnerable.

1:43.3

The library is used to process text strings, essentially, and one of the features is its ability

1:51.5

to interpolate, to basically expand little macros, sort of, that you can define, and

1:57.5

one of these interpolations is a URL that will then write a file to the file system that is loaded from that URL.

2:08.6

A proof-of-concept exploit has already been published, and it's actually a really straightforward vulnerability because it just uses a particular feature, not necessarily

2:19.5

sort of an exploit per se. However, how much this affects a particular application really

2:26.3

depends. And people have already compared this to Log4j. Somewhat true, I think, because

2:33.0

it is a very popular Java library, but it really depends on how you're using this library and which features you are actually using.

...